JVNDB-2021-000074

Multiple vulnerabilities in RevoWorks Browser

Overview

RevoWorks Browser provided by J's Communication Co., Ltd. is a virtual browser that enables internet isolation.
When the web browser is running, it provides a function that enables access from the local environment to drives, folders, files, and registries in the isolated environment.
RevoWorks Browser contains the multiple vulnerabilities listed below, which are due to improper control of access and program execution between the local environment and the isolated environment.

* Improper control of program execution (CWE-114) - CVE-2021-20790
* Improper access control (CWE-284) - CVE-2021-20791

J's Communication Co., Ltd. reported these vulnerabilities to IPA to notify users of the solution through JVN. JPCERT/CC and J's Communication Co., Ltd. coordinated under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 8.6 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20790


CVSS V3 Severity:
Base Metrics 5.2 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 3.2 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20791

Affected Products


J's Communication Co., Ltd.
  • RevoWorks Browser 2.1.230 and earlier

According to the developer, RevoWorks Browser 2.0.x is not affected by these vulnerabilities.

Impact

* An arbitrary command or code may be executed on the user's web browser running in the isolated environment - CVE-2021-20790
* Unauthorized files may be exchanged between the local environment and the isolated environment, or settings of the web browser may be altered - CVE-2021-20791

Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has released RevoWorks Browser 2.2.50 that addresses the vulnerabilities.

Vendor Information

J's Communication Co., Ltd.

CWE

  1. Permissions(CWE-264) [IPA Evaluation]
  2. No Mapping(CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2021-20790
  2. CVE-2021-20791

References

  1. JVN : JVN#81658818
  2. National Vulnerability Database (NVD) : CVE-2021-20790
  3. National Vulnerability Database (NVD) : CVE-2021-20791

Revision History

  • [2020/09/10]
      Web page was published